Hash functions
•
a hash function produces a fingerprint of some file/message/data
h = H(M)
•

condenses a variable-length message M

to a fixed-sized fingerprint
usually assume that the hash function is public, not keyed

cf. MAC which is keyed
•
hash used to detect changes to message
•
can use in various ways with message
•
most often to create a digital signature, or fingerprint
Authentication via hash functions
+ digital
signature also
Authentication via hash functions (contd.)
•
Secret value is added before hashing and then removed
before transmission
Requirements for hash functions
1.
can be applied to any sized message M
2.
produces fixed-length output h
3.
is easy to compute h=H(M) for any message M
4.
given h is infeasible to find x s.t. H(x)=h
•
one-way property
given x is infeasible to find y s.t. H(y)=H(x)
5.
•
weak collision resistance
is infeasible to find any x,y s.t. H(y)=H(x)
6.
•
strong collision resistance
Simple hash functions
•
there are several proposals for simple functions, based on
XOR of message blocks:
 e.g. longitudinal redundancy check:
 xor of columns of n-bit block arranged in rows
 e.g. above+ circular left shift of hash after each row
 effect of rotated XOR (RXOR) is to randomize the input
•
but these lack weak collision resistance
 simply “add a block” to obtain desired hash
•
need a stronger cryptographic function
Birthday attacks imply need longer hash values
•
You might think a 64-bit hash is secure
•
but by Birthday Paradox is not
•
birthday attack works thus:
•
m

opponent generates 2 /2 variations of a valid message all with
essentially the same meaning

opponent also generates 2
message

two sets of messages are compared to find pair with same hash
(probability > 0.5 by birthday paradox)

have user sign the valid message, then substitute the forgery which
will have a valid signature
m/
2
variations of a desired fraudulent
conclusion is that need to use longer hash values
Hash algorithms
•
similarities in evolution of hash functions & block ciphers
 increasing power of brute-force attacks led to evolution in
algorithms
 from DES to AES in block ciphers
 from MD4 & MD5 to SHA-1 in hash algorithms
•
likewise tend to use common iterative structure as do block
ciphers
Block ciphers as hash functions
•
can use block ciphers as hash functions
 using H0=0 and zero-pad of final block
 compute: Hi = EMi [Hi-1]
 and use final block as the hash value
 similar to cipher block chaining but without a key
•
•
but resulting hash should not be too small (64-bit)
like block ciphers have brute-force attacks, and a
number of analytic attacks on iterated hash functions
MD5
•
designed by Ronald Rivest (the R in RSA)
•
latest in a series of MD2, MD4
•
produces a 128-bit hash value
•
until recently was the most widely used hash algorithm
 in recent times had both brute-force & cryptanalytic concerns
•
specified as Internet standard RFC1321
MD5 overview
1.
pad message so its length is 448 mod 512
2.
append a 64-bit length value to message
3.
initialise 4-word (128-bit) MD buffer (A,B,C,D)
4.
process message in 16-word (512-bit) blocks:
5.

using 4 rounds of 16-bit operations on message block & buffer

add output to buffer input to form new buffer value
output hash value is the final buffer value
MD5 overview
MD4
•
precursor to MD5
•
also produces a 128-bit hash of message
•
has 3 rounds of 16 steps vs 4 in MD5
•
design goals:
 collision resistant (hard to find collisions)
 direct security (no dependence on "hard" problems)
 fast, simple, compact
 favours little-endian systems (e.g., PCs)
Strength of MD5
•
MD5 hash is dependent on all message bits
•
Rivest claimed security is as strong as can be with 128 bit code
•
known attacks are:

Berson 92 attacked any 1 round using differential cryptanalysis (but
can’t extend)

Boer & Bosselaers 93 found a pseudo collision (again unable to extend)

Dobbertin 96 created collisions on MD compression function (but initial
constants prevent exploit)
•
conclusion is that MD5 should be vulnerable soon
Secure Hash Algorithm (SHA-1)
•
SHA was designed by NIST & NSA in 1993, revised 1995 as SHA-1
•
US standard for use with DSA signature scheme

standard is FIPS 180-1 1995, also Internet RFC3174

nb. the algorithm is SHA, the standard is SHS
•
produces 160-bit hash values
•
now the generally preferred hash algorithm
•
based on design of MD4 with key differences
SHA overview
1.
pad message so its length is 448 mod 512
2.
append a 64-bit length value to message
3.
initialise 5-word (160-bit) buffer (A,B,C,D,E) to
(67452301,efcdab89,98badcfe,10325476,c3d2e1f0)
4.
5.
process message in 16-word (512-bit) chunks:

expand 16 words into 80 words by mixing & shifting

use 4 rounds of 20 bit operations on message block & buffer

add output to input to form new buffer value
output hash value is the final buffer value
SHA-1 verses MD5
•
•
brute force attack is harder (160 vs 128 bits for MD5)
not vulnerable to any known attacks (compared to
MD4/5)
•
a little slower than MD5 (80 vs 64 steps)
•
both designed as simple and compact
•
optimised for big endian CPU's (vs MD5 which is optimised
for little endian CPU’s)
Revised secure hash standard
•
NIST have issued a revision FIPS 180-2
•
adds 3 additional hash algorithms
•
SHA-256, SHA-384, SHA-512
•
designed for compatibility with increased security
provided by the AES cipher
•
structure & detail is similar to SHA-1
•
hence analysis should be similar
Reading on Crypto
Comparable to the extent covered in class, read
•
Chapter 3:
3.1-3.4
•
Chapter 5:
5.1
•
Chapter 6:
6.2-6.5
•
Chapter 9:
9.1-9.2
•
Chapter 11:
11.4-11.5
•
Chapter 12:
12.1-12.2